Authentication shortcomings leave sensitive data at risk

Many small businesses are yet to adopt multi-factor authentication

Fewer than half of small and medium-sized businesses are using multi-factor authentication (MFA) to secure critical data, according to new research.

The Cyber Readiness Institute's Global Small Business Multi-Factor Authentication (MFA) study found that most are still relying only on usernames and passwords to secure employee, customer, and partner data. Only 46% have implemented MFA, with just 13% requiring its use for most account or application access by employees.

Meanwhile, of those that do use MFA, only 39% have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available”.

"Using a strong password is important, but complexity alone isn’t enough; adding a second layer of protection with multi-factor authentication is the best way to secure access to personal accounts," said Meg Anderson, vice president-chief information security officer at Principal Financial Group.

"MFA makes it more difficult for potential cybercriminals to gain access and steal company data – even if they have, or guess, your password."

What’s the benefit?

Lack of awareness appears to be the main reason for the low take-up of more advanced authentication options. Indeed, 55% of small and medium-sized businesses surveyed said they were “not very aware” of MFA and its security benefits, and only 40% have discussed it with their employees. Meanwhile, of those that haven't implemented MFA, 47% said they either didn’t understand it or didn’t see its value.

Karen Evans, managing director of CRI, told The Daily Swig: "Unfortunately, I’m not surprised. Some small businesses hear a term like ‘multi-factor authentication’ and think it doesn’t apply to them or they don’t need to worry about it."

Evans continued: "With good security practices and office cultures supporting proactive measures, we can assist the SMBs to reduce their risks, rather than simply convincing people it won’t be hard to implement and costly to utilize."


Other barriers to the use of MFA cited in the study include a lack of funding for tools, implementation resources, and maintenance costs, as well as a lack of technical expertise.

These issues, though, shouldn't be barriers, according to Evans.

"Many of the products and services have two-factor and multi-factor capabilities already built in. It is assisting SMBs to understand how to take advantage of the capabilities they have already purchased," she said.

"There are also changes coming in the future as it relates to going passwordless in operating systems allowing security to be built in up front, making the services more affordable for their customers."
